[00:00.000 --> 00:11.660]  We've long talked about gender and racial issue diversity in cyber security, but it would be a missed opportunity if we didn't talk about the Black Lives Matter movement and its relevance to technology in our field.
[00:13.420 --> 00:29.320]  Technology and social systemic issues have frequently been perceived as diametrically opposed, but in fact they absolutely overlap and technology can both be an accelerant, as well as an ability to fix some of these larger systemic issues that we're facing.
[00:30.000 --> 00:48.420]  So assuming that everything that we're working on, we're all trying to build the safest version of that for our communities, I posit that the absence of diversity or the homogeneity in thought is in fact an attack vector that has not been sufficiently mitigated in our ecosystem.
[00:49.460 --> 01:05.440]  So first things first, is diversity in cyber security really a problem? In a survey of 9500 US cyber security professionals, it was found to be that minorities represented 26%, which is slightly higher than the US national average, which is 21%.
[01:06.140 --> 01:15.680]  That same survey found that the ethnic and racial minorities are actually consistently not holding top managerial positions.
[01:15.680 --> 01:21.680]  And that pay inequity, especially for minority women, continues to be a real challenge.
[01:22.120 --> 01:33.900]  Now diversity comes in many forms, of course. It's not just race, gender, sexual orientation. But if we believe that talent is equally distributed across a population,
[01:33.900 --> 01:42.680]  any under-representation by one of these groups in our field means that we have less talent in our group than there is in the total workforce.
[01:42.680 --> 01:49.560]  And we deal with some really hard challenges in cyber security. We need that talent to actually build solutions.
[01:50.780 --> 01:57.480]  So maybe the first question we can ask ourselves, how do we broaden those that are attracted to cyber security?
[01:57.500 --> 02:10.000]  One of the interesting things about cyber security is that it's often perceived as this very technical field. But at the end of the day, it's about people interacting with technology and information.
[02:10.000 --> 02:14.240]  But that isn't always obvious to people looking at the field from the outside.
[02:14.820 --> 02:25.260]  This common misperception of a purely technical discipline means that in even more people-facing roles, we tend to have people with technical backgrounds.
[02:25.360 --> 02:29.240]  That seems like a missed opportunity to include more people in our ecosystem.
[02:31.620 --> 02:40.360]  Calls for diversity are frequently met with the argument that raising one group above others gives them an unfair advantage in society.
[02:40.580 --> 02:48.780]  So how can we actually make meaningful change? We need to focus on more than recruitment, even though that is absolutely important and critical.
[02:48.820 --> 02:56.100]  We need to think about how do we encourage a broader group of people to even consider coming to work in cyber security.
[02:56.100 --> 03:07.980]  That requires thinking about the different ways into security, the training that we offer people coming into the field, and are we building tools that make it an accessible place for them to work and be successful.
[03:08.060 --> 03:15.180]  We need to find pathways into security where anyone who wants to be involved is able to get involved.
[03:15.360 --> 03:20.880]  Hiring for skill and passion and not just the right certification or a college degree.
[03:20.880 --> 03:27.740]  Salesforce and Google have recently shared technical training and it's free and available to all.
[03:27.740 --> 03:35.160]  It seems like an advanced step to try to change some of the systemic issues about access to technical education.
[03:35.160 --> 03:40.260]  And it also seems like an effort to change our definition of what is qualified.
[03:40.420 --> 03:47.640]  It takes effort to understand different backgrounds, different education, different experiences.
[03:47.640 --> 03:58.660]  But the unconscious bias that we're potentially placing on qualifications can be something that we aren't aware of because we just don't know it's a problem.
[03:58.940 --> 04:06.900]  It's built into our culture, but we need to expose these moments of unconscious bias and find new ways to think about it.
[04:07.060 --> 04:14.600]  The formal paths that we follow for recruitment have historically not always created diverse teams.
[04:14.600 --> 04:16.520]  So we need to think outside.
[04:16.520 --> 04:29.180]  One way is to partner with organizations that are intentionally targeting diverse populations that are trying to get into the field, like the International Consortium of Minority Cybersecurity Professionals.
[04:29.460 --> 04:38.200]  And if the oversubscribed women-only cybersecurity conferences are any indicator, there are plenty of women that are trying to get into the field.
[04:38.960 --> 04:46.340]  So with all this discussion about attracting diverse talent, it would be remiss of me to not discuss retaining this talent.
[04:46.520 --> 04:53.440]  How do we keep teams from burning out and protect them from the stress that comes with cybersecurity?
[04:53.820 --> 05:00.380]  A significant number of security professionals seek to leave this field every year.
[05:00.840 --> 05:10.520]  Security can be so demanding that one survey found that 50% of security professionals think about taking a lower paid job because it's so stressful.
[05:11.060 --> 05:17.260]  Or two-thirds of people have considered leaving the field entirely because the demand is too high.
[05:18.360 --> 05:27.660]  This means we need to change how we support each other, not just managing and mentoring each other so that we are continually growing and careers are progressing.
[05:27.940 --> 05:39.860]  But we need to think about giving our people meaningful training so that they can understand how to be resilient and deal with the fact that they are on the front lines of trying to defend an organization.
[05:40.520 --> 05:50.740]  So taking a page from threat modeling, how can we think about diversity or homogeneity of thought as a potential attack vector that we need to consider?
[05:51.340 --> 05:56.480]  Every gap in a process where data moves from one team to the next.
[05:56.640 --> 06:05.500]  Every assumption a developer or a defender makes about how a system will work or how a user will interact with that system.
[06:05.580 --> 06:09.420]  Those are the cracks that an attacker can try to exploit.
[06:10.520 --> 06:20.320]  And if everyone in the security team thinks the same way, has the same way of working, these attack vectors will continue to crop up.
[06:20.580 --> 06:29.760]  Getting a wider range of people into cybersecurity is not just equitable. It's truly our best chance at doing something meaningful with security.
[06:30.340 --> 06:34.220]  And we've seen how security can have a big impact on society.
[06:34.220 --> 06:45.220]  In the 2016 U.S. presidential elections, the campaign trail brought to mainstream society something that this community has long preached.
[06:45.360 --> 06:49.550]  Securing unstructured data, such as email, is critical.
[06:50.200 --> 07:02.410]  The 2016 election further saw Russian disinformation that intentionally targeted Black communities, using fake accounts on every social media platform to share racially charged posts.
[07:02.410 --> 07:09.870]  Whether such efforts had a significant effect on the election or not is hard to determine, and not the intention of this talk.
[07:09.990 --> 07:18.130]  Instead, it seems like an opportunity to reflect and think, how did the authentication model fail on these social media platforms?
[07:18.310 --> 07:30.870]  What aspect of spoofing was not considered? Or perhaps it was never a use case that would be thought of that charged racially political ideas would be shared on these platforms.
[07:31.870 --> 07:39.730]  Unfortunately, we haven't seen it stop with these elections either, but it's continued in the targeting of BLM activists by cyber criminals.
[07:39.950 --> 07:44.150]  This spring, we've seen DDoSers attack BLM groups.
[07:44.430 --> 08:00.130]  Cloudflare reported that those groups that identified as advocacy-focused saw a 1,120 times increase in attacks on their organizations just from May to April, and that's in comparison to the broader ecosystem.
[08:00.870 --> 08:05.310]  Racism breeds distrust in systems and institutions.
[08:05.310 --> 08:13.020]  We saw how technology furthered this problem in the implementation of the U.S. facial recognition protocol at borders.
[08:13.630 --> 08:21.350]  NIST found examples of age, gender, and race bias in several widely implemented systems,
[08:21.350 --> 08:38.730]  to the extent that all except the top performing ones had a 10 to 100 times higher likelihood of misidentifying African American, Alaskan Indian, Pacific Islander, and Asian American faces in comparison to their Caucasian counterparts.
[08:39.610 --> 08:47.830]  Technology and policy mitigations need to be implemented where society, systems, and technology have weaknesses.
[08:47.830 --> 09:02.970]  While the BLM movement has resulted in highlighting the need to dismantle systemic racism, technology is the accelerant that can take this from a city-by-city initiative and instead build anti-racism into our collective ecosystem.
[09:03.530 --> 09:12.070]  The people in this community are at an exciting time in healthcare. Everything is getting connected. Insightful data is being gathered.
[09:12.070 --> 09:18.290]  We're on the cusp of actually having true personalized medicine because of the treasure trove of data that we're getting.
[09:18.870 --> 09:31.830]  But as you work to develop these systems and these amazing interventions, we also need to ask ourselves, what can we do to ensure that cybersecurity alleviates the systemic bias that exists today?
[09:32.890 --> 09:44.790]  So true in threat modeling and true in thinking about diversity, here are 10 things to think about that might stop you from thinking about diversity, but they really shouldn't.
[09:45.350 --> 09:55.790]  Number one, don't be afraid to ask questions. Try to build a community and an ecosystem where it's safe to ask questions and get engaged in a dialogue and to be wrong.
[09:55.790 --> 10:05.070]  Number two, you're never going to be done. This is an ongoing process that will consistently change as technology evolves and as our community changes.
[10:05.990 --> 10:18.390]  Number three, there is no one way to pursue this. It's a complicated issue that has evolved over a long period of time and will require a complicated solution in all likelihood.
[10:18.390 --> 10:31.530]  Number four, this takes more than just one skill set. Just like effective security requires a wide variety of skill sets to be successful, this too will require variants and capabilities.
[10:32.310 --> 10:38.030]  Number five, this isn't going to be easy. It's going to take time and it's going to take effort.
[10:38.770 --> 10:46.190]  Number six, this isn't just for the experts to solve. We all have a role to play and can contribute in a meaningful way.
[10:46.190 --> 10:54.570]  Number seven, accept that you're probably going to focus on the wrong thing at some point. And that's okay. That's part of learning.
[10:55.230 --> 11:05.770]  Number eight, find an ally to help guide you. There are many in this community and outside of it that are willing to share and help us as we grow and change.
[11:06.010 --> 11:12.590]  Number nine, don't dismiss the interplay of societal change and how it impacts cybersecurity.
[11:12.590 --> 11:19.310]  And number 10, there's no right time to start this, but this certainly feels like a great inflection point.
[11:19.710 --> 11:26.090]  So thank you for your time. I'd love to open up the conversation if that's something that we're able to do. Take care.
